U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Audit Report
The Office of Science's Management of Information Technology Resources

DOE/IG-0831    November 2009

Department of Energy
Washington, DC 20585
November 20, 2009

MEMORANDUM FOR THE SECRETARY

FROM: Gregory H. Friedman, Inspector General

SUBJECT: Audit Report on "The Office of Science's Management of Information Technology Resources"

BACKGROUND

The Department of Energy's Office of Science (Science) and its facility contractors are aggressive users of information technology (IT) to support fundamental research in areas such as energy, environmental remediation and computational sciences. Of its $4 billion Fiscal Year 2008 budget, Science spent about $287 million to manage its IT program. This included cyber security activities, acquisition of hardware and software, and support service costs used to maintain the operating environments necessary to support the missions of the program.

Prior Office of Inspector General reports have identified various issues with Science's management of its IT programs and resources. For instance, our report on Facility Contractor Acquisition and Management of Information Technology Hardware (DOE/IG-0768, June 2007) noted that the Science sites reviewed spent more than necessary when acquiring IT hardware. In another example, our review of The Department's Efforts to Implement Common Information Technology Services at Headquarters (DOE/IG-0763, March 2007) disclosed that Science's reluctance to adopt the Department of Energy Common Operating Environment (DOE-COE) at Headquarters contributed to the Department's inability to fully realize potential cost savings through consolidation and economies of scale. In light of the magnitude of the Office of Science IT program and previously identified program weaknesses, we initiated this audit to determine whether Science adequately managed its IT resources.

RESULTS OF AUDIT

Science had taken a number of actions to improve its cyber security posture and align its program to Federal requirements. Yet, our review disclosed that it had not taken some basic steps to enhance security and reduce costs. In particular, we found that:

• For their non-scientific computing environments, all seven of the field sites reviewed (two Federal, five contractor) had implemented security configurations that were less stringent than those included in the Federal Desktop Core Configuration. This configuration was designed by the National Institute of Standards and Technology and its use was mandated by the Office of Management and Budget;

• Although we previously highlighted weaknesses and recommended corrective actions, Science still had not fully established or enforced IT hardware standards for acquiring hardware such as desktop and laptop computers or related peripherals, contributing to significant unnecessary expenditures; and,

• While we have noted in a series of past reports that significant savings could be realized from aggregating demand for IT services and products across the enterprise, Science had not implemented a common infrastructure for users at its Federal sites and continued to maintain an IT environment independent of the Department's Common IT Operating Environment.

The weaknesses identified were attributable, at least in part, to a lack of adequate policies and procedures for ensuring effective cyber security and hardware acquisition practices. In addition, Science had not effectively monitored the performance of its field sites to ensure that previously reported internal control weaknesses were addressed and had not implemented an appropriate mechanism to track its IT-related costs.

Without improvements, Science may be unable to realize the benefits of improved security over its information systems, reduce costs associated with hardware acquisition, and lower IT support costs through consolidation of services. In particular, we determined that Science could potentially realize savings of more than $3.3 million over the next three years by better controlling hardware costs and implementing standards for certain equipment. Furthermore, Science could continue to pay for duplicative IT support services and fail to take advantage of opportunities to lower costs and apply potential savings to mission-related work.

During the course of our audit work, we learned from Science officials that they had initiated the process of revising the Program Cyber Security Plan to better clarify its policy for implementing Federal cyber security requirements. In addition, we noted that the Oak Ridge National Laboratory had taken action to establish and enforce hardware standards on both its administrative and scientific workforce. Although these actions are positive steps, additional action is needed to strengthen Science's IT program. To that end, our report contains several recommendations that, if fully implemented, should help Science improve the management of its IT resources.

MANAGEMENT REACTION

Management generally concurred with the first three recommendations, but did not concur with our recommendation that it evaluate joining the Department's common IT environment. Management indicated that it planned to address many of the issues identified in our report. However, management believed that its decision not to participate in DOE-COE was appropriately justified. Management's comments are included in their entirety in Appendix 3.

Attachment

cc: Deputy Secretary
    Chief of Staff
    Under Secretary for Science
    Chief Information Officer

REPORT ON THE OFFICE OF SCIENCE'S MANAGEMENT OF INFORMATION TECHNOLOGY RESOURCES

TABLE OF CONTENTS

Science Information Technology Management Program

Details of Finding ..... 1
Recommendations and Comments ..... 10

Appendices

1. Objective, Scope, and Methodology ..... 13
2. Prior Reports ..... 15
3. Management Comments ..... 16

Science Information Technology Management Program

Management of Information Technology Resources

The Office of Science (Science) had dedicated $287 million in Fiscal Year (FY) 2008 to information technology (IT) activities including, among other things, cyber security activities, acquisition of IT hardware and software, and maintaining IT services necessary to support the missions of the program. However, our review of seven sites and Headquarters disclosed that Science had not adequately managed its IT resources. In particular, we found that none of the sites reviewed had fully implemented the Office of Management and Budget's (OMB) mandated initiative for enhancing security configurations on their information systems. In addition, Science had not always established or enforced IT hardware standards and it spent significantly more than necessary to acquire hardware. Furthermore, Science had not implemented a common support services infrastructure for users at its Federal sites and continued to maintain an IT environment independent of the Department of Energy Common Operating Environment (DOE-COE).

Secure System Configurations

The Federal Desktop Core Configuration (FDCC) was designed by the National Institute of Standards and Technology (NIST) to improve overall cyber security and reduce IT costs at Federal agencies. We recognize that FDCC is only one part of an organization's strong defense-in-depth program. However, despite the benefits of FDCC and the OMB mandate to either implement FDCC settings on agency systems by February 1, 2008, or document why deviations from the settings were necessary, all seven field sites reviewed had implemented security configuration settings that were less stringent than those required by the FDCC. In addition, although Science Headquarters had documented its rationale for deviating from the FDCC configuration, none of the seven field sites had identified and documented their deviations, as required.

While six of seven field sites reviewed had implemented security configurations that were based on benchmarks developed by the widely recognized Center for Internet Security (CIS), we found that all seven of the sites had established configuration settings such as password settings, audit policy changes, encryption settings, or logon controls, that were less stringent than required by the FDCC. For example:

Page 1    Details of Finding

• The Oak Ridge National Laboratory (ORNL) had developed its own security configuration standard that was not based on a nationally recognized standard such as those developed by CIS or NIST. As such, the site's standard configuration settings conformed to less than 50 percent of FDCC requirements. For instance, although the FDCC required that encryption algorithms compliant with the Federal Information Processing Standards issued by NIST be used, ORNL had not defined this setting in its minimum security configuration standards. Notably, ORNL officials recognized the need for more secure configurations and had begun piloting the FDCC settings on 500, or more than 20 percent, of its administrative desktops;

• At the Fermi National Accelerator Laboratory (FNAL), 17 of 36 desktop configuration settings sampled were less rigorous than required by the FDCC. For example, FNAL did not log successful changes to its system audit policies even though the FDCC required that an audit entry be generated when a change to user rights or audit policies was successful, an action that could help detect unauthorized access to systems and data; and,

• At Lawrence Berkeley National Laboratory (LBNL), there were 168 instances where LBNL's established configuration settings differed from those required by the FDCC. Although certain of the differences may have enhanced security, 18 of 36 settings sampled were less stringent than FDCC, including the requirement to rename default settings for system administrator and guest accounts. Leaving the default system administrator account name unchanged increases the risk that an attacker or unauthorized user could successfully log on to the system.

Although deviations to configuration settings are necessary to account for varying operational environments such as research and development, OMB instructed agency Chief Information Officers to provide NIST with documentation of any deviations from the FDCC configurations and the rationale for doing so. However, we found that none of the seven field sites reviewed had met this requirement. For example, officials at five sites noted that since the use of FDCC settings was not required by the Science Program Cyber Security Plan (PCSP), they had not taken action to review the FDCC requirements and, therefore, had not documented the rationale to deviate. Although Science had taken positive steps to strengthen IT security by correcting cyber security weaknesses identified by various assessments, we noted that successful implementation of the FDCC settings should help to further strengthen its security posture by reducing opportunities for hackers to access and exploit the program's systems.
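The control the report is auditing here has two parts: a site's settings are compared against a baseline, and every setting that is weaker than the baseline must carry a documented rationale. The script below is an added illustration written for this page, not code from the report, from NIST or from any of the sites named; the baseline entries, the site values and the deviation register are constructed stand-ins rather than actual FDCC values, and the setting names are hypothetical. It classifies each difference as stricter or weaker (mirroring the observation that some of LBNL's differences may have enhanced security) and reports only the weaker, undocumented ones as findings.

```python
"""Classify a site's configuration against a security baseline and flag
weaker settings that lack a documented rationale.

Added example for this page; baseline values, setting names and site data
are constructed for illustration and are not the actual FDCC settings.
"""
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class Setting:
    """One baseline requirement.

    kind decides how a site value is compared to the requirement:
      "min"         numeric floor (a larger site value is stricter)
      "max"         numeric ceiling (a smaller site value is stricter)
      "bool"        the control must be enabled
      "not_default" the value must differ from the vendor default held in
                    `required` (e.g. renamed built-in accounts)
    """
    name: str
    required: Any
    kind: str


# Constructed baseline loosely modelled on the setting categories the report
# names (password, audit policy, encryption, built-in account names).
BASELINE = (
    Setting("password.min_length", 12, "min"),
    Setting("password.max_age_days", 60, "max"),
    Setting("audit.policy_change.success", True, "bool"),
    Setting("crypto.fips_algorithms_only", True, "bool"),
    Setting("accounts.administrator_name", "Administrator", "not_default"),
    Setting("accounts.guest_name", "Guest", "not_default"),
)

# Constructed site standard: some settings stricter, some weaker, and one
# (FIPS algorithms) not defined at all.
SITE_STANDARD = {
    "password.min_length": 8,
    "password.max_age_days": 45,
    "audit.policy_change.success": False,
    "accounts.administrator_name": "Administrator",
    "accounts.guest_name": "Visitor",
}

# Constructed deviation register: setting name -> approved rationale.
DEVIATION_REGISTER = {
    "password.min_length": "Instrument-control consoles cannot accept 12-character "
                           "passwords; compensating control is network isolation.",
}


def classify(setting: Setting, value: Optional[Any]) -> str:
    """Return 'compliant', 'stricter' or 'weaker' for one site value.

    A setting the site never defined (value is None) counts as weaker:
    an undefined control gives no assurance at all.
    """
    if value is None:
        return "weaker"
    if setting.kind == "min":
        if value == setting.required:
            return "compliant"
        return "stricter" if value > setting.required else "weaker"
    if setting.kind == "max":
        if value == setting.required:
            return "compliant"
        return "stricter" if value < setting.required else "weaker"
    if setting.kind == "bool":
        return "compliant" if value is True else "weaker"
    if setting.kind == "not_default":
        return "compliant" if value != setting.required else "weaker"
    raise ValueError(f"unknown comparison kind: {setting.kind}")


def assess(baseline, site, register):
    """Bucket every baseline setting; weaker ones are split by whether the
    deviation register holds a rationale for them."""
    report = {"compliant": [], "stricter": [], "documented": [], "undocumented": []}
    for setting in baseline:
        status = classify(setting, site.get(setting.name))
        if status != "weaker":
            report[status].append(setting.name)
        elif register.get(setting.name, "").strip():
            report["documented"].append(setting.name)
        else:
            report["undocumented"].append(setting.name)
    return report


def conformance_rate(report) -> float:
    """Share of baseline settings met or exceeded, as a percentage."""
    total = sum(len(names) for names in report.values())
    met = len(report["compliant"]) + len(report["stricter"])
    return round(100.0 * met / total, 1) if total else 0.0


if __name__ == "__main__":
    result = assess(BASELINE, SITE_STANDARD, DEVIATION_REGISTER)
    for bucket, names in result.items():
        print(f"{bucket:12s} {', '.join(names) or '-'}")
    print(f"conformance: {conformance_rate(result)}%")
    # Weaker settings without a rationale are the reportable finding.
    if result["undocumented"]:
        raise SystemExit(1)
```

Run stand-alone, the script exits non-zero because three weaker settings (the disabled audit-policy-change logging, the undefined FIPS setting and the unrenamed administrator account) have no entry in the register, while the shorter password length is accepted as a documented deviation and the shorter password age is recorded as stricter rather than as a deviation to be justified.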
In addition, the use of readily available and easily implemented security settings such as those in the FDCC can help reduce the risk of compromise without, in most cases, adversely impacting the program's mission.

IT Hardware Acquisition

Our prior report on Facility Contractor Acquisition and Management of Information Technology Hardware (DOE/IG-0768, June 2007) highlighted several issues and provided recommendations to improve management of IT hardware acquisition within the Department. In response to our recommendations, Science officials issued a memorandum in March 2008 directing field sites to establish IT hardware standards and utilize such standards to streamline acquisitions. However, we found that Science still had not implemented a fully effective process for acquiring IT hardware. In particular, Science had not always established and enforced IT hardware standards, such as system configuration and acquisition standards, for desktop and laptop computers or related peripherals, resulting in higher than necessary expenditures.

We found that system configuration standards and the prices paid for desktop and laptop computers and related peripheral equipment varied widely at the sites reviewed. Specifically, the average price paid for a desktop computer ranged from $1,628 to $2,814 at the five laboratories reviewed, a price variance of 73 percent. At FNAL and the SLAC National Accelerator Laboratory (SLAC), neither of which had developed standards for desktop computers, average prices were $1,677 and $2,814, respectively. Notably, SLAC offered to its users a customizable website recommending particular desktop and laptop models. However, users were able to configure their requested computers with a wide variety of additional accessories and options, effectively diminishing the benefits of using more standardized configurations.

Similar to findings noted in our prior report, we determined that the lack of common hardware standards for desktops and laptops contributed to an overall variance of $2.7 million in acquisition costs over the past three years. In addition, five of seven sites reviewed had not established standards for IT peripheral equipment such as monitors and printers. At SLAC, prices paid for computer monitors that were the same or similar to one another ranged from $256 to $1,236. While SLAC officials disclosed that the average prices paid for three different sizes of monitors ranged from $239 to $289, acquisition data provided by the site demonstrated that the actual average prices paid were higher than this for all three sizes. In total, we found that the four facility contractor sites reviewed could have saved over $125,000 in FY 2008 by enforcing standards for computer monitors.

Even when sites had developed standards for IT hardware, such standards were not always enforced. For instance, although Argonne National Laboratory (ANL) established only one recommended brand for its standard desktop and laptop computers, we found that the laboratory had purchased computers from 24 manufacturers over the past year. As noted in our prior report and numerous industry best practices, adherence to existing standards and the elimination of multiple brands and models of computers has the potential to significantly reduce support costs related to maintenance and cyber security.

LBNL limited the application of its established desktop and laptop standards to only a small group of administrative personnel and not to the larger scientific workforce. In particular, even though there were 5 recommended models of computers, we noted that over 25 different models were purchased in FY 2008. An official at the site informed us that this condition existed because the hardware needs differed from project to project. While we agree that needs may vary, we noted that ORNL, which has scientific projects similar to LBNL, established hardware standards and enforced them on both its administrative and scientific workforce. Officials at ORNL informed us that while the site allows for limited exceptions to their standards, employees are required to follow a rigid process to justify the purchase of non-standard hardware.

IT Support Services

Science had not implemented a common infrastructure for users at its Federal sites and continued to maintain an IT environment independent of DOE-COE. In particular, each of Science's three primary Federal sites implemented IT infrastructures independent of one another. In addition, Science maintained its reluctance to migrate to DOE-COE, the Department's shared IT environment, which was designed to decrease costs, improve security, and enhance user satisfaction. In short, Science maintained a bifurcated IT infrastructure that did not take advantage of opportunities to eliminate duplication. In addition, program officials had not appropriately tracked the costs to support Federal users to help ensure they were providing IT support services at the lowest costs.

Despite having similar missions and computing requirements, each of Science's three primary Federal sites at the Oak Ridge Office (Oak Ridge), Chicago Office (Chicago), and Headquarters had implemented IT support solutions independent of one another. Although Science had the opportunity to consolidate its Federal IT environment to leverage potential cost savings, each of the three locations utilized a different contractor to manage support services such as helpdesk support, operated different IT infrastructures, and purchased hardware and software from different vendors. In particular, while opportunities existed for the three support centers to integrate functions such as email infrastructures and file servers, they each managed their own services at varying costs.

In addition, each of the Science Federal facilities utilized different contractors to support their helpdesk functions, offsetting any potential savings that could have been realized through consolidation. Each of the three Federal sites also utilized different hardware and varying methods to acquire the hardware. For instance, the average price of hardware for a desktop package acquired in FY 2008 was $1,472 at Chicago, but only $783 at Headquarters. Oak Ridge chose to lease its desktop package at a cost of about $1,160 over a four-year period rather than purchase equipment as the rest of the Federal community had done. By consolidating into a single, integrated IT infrastructure similar to other efforts such as DOE-COE, it is likely that Science could realize reduced IT costs through economies of scale, allowing for easier management of its infrastructure, and potentially enhancing its overall security posture.

While Science chose not to consolidate its Federal IT environments, we found that the program was unable to document the true cost of providing IT support services to its Federal users. Specifically, each of the three Federal facilities reviewed tracked their support costs differently, making it virtually impossible to compare the actual cost of supporting a user. For instance, the reported monthly costs per user ranged from $172 at Chicago to $351 at Oak Ridge. However, we noted that Chicago had not included costs related to items such as cyber security and network infrastructure in its calculations. IT officials at Chicago commented that an attempt was made to calculate IT support costs, but they were unable to conclude what the true cost per user was. In addition, we found that Science Headquarters excluded costs for items such as network administration and security monitoring software in its calculation.

Absent effective cost tracking, Science's methodology for calculating IT support costs did not adequately support its decision not to migrate to DOE-COE. Specifically, Science disclosed that it calculated, based on DOE-COE cost categories, the full cost of its IT support program to be $203 per user per month at Headquarters as compared to $300 charged by the Office of the Chief Information Officer (OCIO) under DOE-COE. However, as noted above, we found that certain cost elements such as network administration and security monitoring software were excluded from Science's cost calculation. Based on available supporting documentation reviewed, we determined that the actual cost paid for each Science user at Headquarters could be as much as $350 each month, or 17 percent more than DOE-COE. Our calculations were based on information reported by Science to OMB in the Department's Exhibit 53, as well as services worth about $52 per month per user that were provided to Science, but were subsidized by the OCIO. Although Science officials commented that they did not utilize all of the services provided by the OCIO such as firewall operations and maintenance, email filtering, and patch management, they did not notify the OCIO so that these services could be discontinued. In addition, Science planned to independently acquire many of the same services already provided by the OCIO, potentially increasing costs for the Department.

Contrary to the information noted above, Science officials disclosed in preliminary comments to our report that they continued to believe the program's costs for IT support services and needed hardware were lower than DOE-COE. However, even if Science was able to successfully calculate the full cost, continuing its stand-alone position may not be advantageous to the Department. As we have noted in a series of past reports related to consolidation of IT services and products, significant savings could have been realized from aggregating demand across the enterprise. For instance, our report on The Department's Efforts to Implement Common Information Technology Services at Headquarters (DOE/IG-0763, March 2007) disclosed that organizations' reluctance to participate in DOE-COE prevented the Department from realizing significant savings through consolidation of common infrastructures. Realizing these goals should, if properly executed, help to eliminate redundancy at Headquarters and other locations and further increase savings in a truly enterprise-wide DOE-COE environment.

Policies and Performance Monitoring

These problems occurred because Science had not developed adequate policies and procedures relevant to implementing the FDCC and acquiring IT hardware. In addition, Science had not effectively monitored the performance of its program elements and had not implemented an appropriate mechanism to track IT-related costs.

Policies and Procedures

Science Headquarters and its field sites had not developed adequate policies and procedures for ensuring effective implementation of the FDCC and IT hardware acquisition practices. Specifically, Science had not incorporated into its PCSP or site-level contracts the Federal requirement for implementing FDCC configurations. While Science officials directed field sites, through the management and operating contracts, to utilize security configurations such as the FDCC in all IT acquisitions, we found that the direction was neither adequate nor followed by sites. In particular, the direction required that the FDCC be applied to new IT acquisitions, but it did not apply to computers acquired before the direction was issued. In addition, the direction did not address the need to document risk-based decisions to deviate from the FDCC, a key requirement of OMB. Furthermore, we found that although the purpose of the PCSP is to identify cyber security requirements for Science and provide a consistent method of ensuring security of information and systems across the program, officials at five of seven field sites noted that the FDCC was not required in the PCSP or site-level contracts, and therefore it was not implemented in their environments.

Additionally, Science had not developed and implemented policies requiring establishment and enforcement of hardware standards, and coordination of IT hardware purchases both within the program and across the Department. The lack of such a policy resulted in an uncoordinated approach to acquisition of hardware and support services at the sites reviewed. Notably, Science officials disclosed that they had initiated changes to the PCSP to provide more guidance on Federal requirements and two of the sites reviewed had initiated testing of the FDCC settings in their environment.

Monitoring Performance and Costs

Science Headquarters had not adequately monitored performance to ensure that prior recommendations made by the Office of Inspector General were addressed and had not implemented a process to track IT-related costs. In particular, despite prior recommendations that the Department, including Science, develop and implement hardware standards and utilize such standards to streamline acquisitions, officials had not ensured that these recommendations were adequately addressed. For instance, an official at LBNL commented that his site did not concur with the findings raised in the previous audit, and therefore had not implemented any of the recommendations. However, the LBNL official also noted that the site had implemented certain cost savings measures such as an automated system for purchasing hardware. Similarly, our review of The Department's Efforts to Implement Common Information Technology Services at Headquarters (DOE/IG-0763, March 2007) recommended that the Department complete migration of program elements to DOE-COE. At the time, a request from Science for a waiver on migration was disapproved by the then Deputy Secretary, but Science has continued to resist. Although program officials noted that a waiver was subsequently granted in February 2008, they were unable to provide documentation to support this statement.

Officials also had not implemented a process to effectively capture the total cost of providing IT support services. As noted earlier, each of the three Federal sites reviewed tracked their costs differently, effectively eliminating the ability to compare the costs of the programs and determine whether they were successful based on the amount of funds expended. Furthermore, the lack of adequate cost information prevented the program from developing a cost-benefit analysis to determine whether migration to DOE-COE would be advantageous. Although Science Headquarters attempted to align its cost categories with DOE-COE for comparison purposes, neither Chicago nor Oak Ridge was able to provide similar comparisons.
Without a consistent methodology, both\n                       the OCIO and Science were unable to determine who could\n                       provide a more efficient IT support solution.\n\nInformation Security   Absent an effective IT management program, Science may be\nand Cost Savings       unable to realize the benefits of improved security over its\nOpportunities          information systems, reduce costs associated with hardware\n                       acquisition, and lower IT support costs. For instance,\n                       according to an analysis conducted by the National Security\n                       Agency, as many as 90 percent of all vulnerabilities can be\n                       eliminated through up-to-date patching and implementation of\n                       secure configurations such as those included in the FDCC. In\n                       addition, the Office of Health, Safety and Security recently\n                       completed a review of Science sites that disclosed numerous\n                       security vulnerabilities that could have been addressed through\n                       stronger configurations, including better management of\n                       network administrator password controls. In addition to the\n                       security benefits, significant cost savings could be realized\n                       through the implementation of standard configurations. For\n                       example, the United States Air Force was able to reduce its IT\n                       management costs by 30 percent and save $56 million by\n                       deploying configuration standards similar to the FDCC on\n                       more than 500,000 workstations. 
While the Department may\n                       not be able to achieve identical savings, this example\n                       demonstrates the likelihood that significant cost reductions\n                       could be realized.\n\n                       Furthermore, Science may continue to spend more than\n                       necessary acquiring IT hardware and support services.\n                       Specifically, we determined that Science could potentially\n                       realize savings of more than $3.3 million over the next three\n                       years at the sites reviewed by better controlling hardware costs\n                       and implementing standards for certain equipment. In addition,\n                       Science will continue to pay for duplicative IT support services\n                       and fail to take advantage of opportunities to lower costs and\n                       apply potential savings to mission-related work. An OCIO\n                       official also told us that if Science was included in the DOE-\n                       COE infrastructure, it could potentially reduce the overall cost\n                       per user for each of the programs participating in the initiative\n                       and enable the Department to fully realize the expected cost\n                       savings of the DOE-COE initiative.\n\n\n\n\n________________________________________________________________\nPage 9                                            Details of Finding\n\x0cRECOMMENDATIONS      To address the issues identified in this report, we recommend\n                     that the Under Secretary for Science:\n\n                        1. Include the FDCC in the Science program-level cyber\n                           security policies and site-level contracts and ensure\n                           implementation of the requirements, as appropriate;\n                           and,\n\n                        2. 
Require sites to establish and follow IT hardware\n                           standards and coordinate purchases, where applicable,\n                           to take advantage of volume discounts including the use\n                           of enterprise-wide purchasing agreements.\n\n                     To ensure that a uniform approach is consistently applied to\n                     measure the cost-effectiveness of IT support programs, we also\n                     recommend that the Under Secretary for Science, in\n                     conjunction with the Department\'s Chief Information Officer:\n\n                        3. Develop and implement a methodology for consistently\n                           capturing and reporting common IT support costs; and,\n\n                        4. Re-evaluate whether Science should leverage the DOE-\n                           COE services.\n\nMANAGEMENT           Science management generally concurred with the first three\nREACTION             recommendations, but non-concurred with recommendation\n                     four. In addition, management indicated that it planned to\n                     address many of the issues identified in our report. However,\n                     management indicated concerns with a number of assertions\n                     made in our report. We have addressed management\'s\n                     comments below and made technical changes to the report, as\n                     appropriate. Management\'s comments are included in their\n                     entirety in Appendix 3. 
The OCIO did not comment on the\n                     report.\n\n                     While management agreed with our recommendation to\n                     implement the FDCC, as appropriate, it did not believe that the\n                     FDCC set minimum security configuration requirements.\n                     However, management noted that it plans to modify existing\n                     site-level contracts to require the evaluation and\n                     implementation of the FDCC.\n\n                     Management disclosed that it supported the report\'s\n                     recommendation to lower IT hardware acquisition costs and\n                     implement hardware standards, as appropriate, to meet mission\n\n\n\n________________________________________________________________\nPage 10                             Recommendations and Comments\n\x0c                     needs. However, Science disagreed with several of the report\'s\n                     conclusions and noted that an analysis of the costs and benefits\n                     of implementing standards must be considered. Management\n                     also commented that it had established and enforced IT\n                     hardware standards that meet local mission needs.\n                     Furthermore, management stated that it would evaluate the\n                     effectiveness of guidance issued in March 2008 to its federal\n                     Site Offices related to the development and implementation of\n                     hardware standards, and issue additional guidance, as\n                     appropriate.\n\n                     Management commented that it had evaluated the DOE-COE\n                     model on numerous occasions, but believed it had implemented\n                     a federated IT model that provided the best costs and service to\n                     meet the mission needs of the program. 
Science disagreed with\n                     the report\'s assertion that it did not provide costs that aligned\n                     with DOE-COE for comparison and that the methodology of\n                     tracking costs did not adequately support the decision not to\n                     migrate to DOE-COE. Management pledged to work with the\n                     Department\'s OCIO to ensure that a uniform approach is\n                     applied to measure the cost-effectiveness of IT support\n                     programs.\n\nAUDITORS             Management\'s comments are generally responsive to the\nCOMMENTS             report\'s first three recommendations. However, we continue to\n                     recommend that Science, in conjunction with the OCIO, re-\n                     evaluate whether the program should leverage the DOE-COE\n                     services. Although management commented that FDCC does\n                     not set minimum requirements, OMB directed agencies to\n                     adopt and implement, at a minimum, the FDCC configuration\n                     settings on their systems, including those operated on their\n                     behalf by contractors. While OMB allows deviations from the\n                     FDCC, agencies are required to assess and implement the\n                     FDCC in their environment to the extent possible and\n                     document any deviations.\n\n                     We commend management\'s support for lowering IT hardware\n                     acquisition costs and implementing hardware standards.\n                     However, as demonstrated by our audit work, Science had not\n                     established and enforced hardware standards. Specifically, as\n                     noted in the report, two sites reviewed had not established\n                     standards for desktop computers. 
Five of seven sites reviewed\n                     had not established standards for IT peripheral equipment such\n                     as monitors and printers. Furthermore, we continue to note that\n                     significant savings could be realized by the program through\n                     the implementation of hardware standards.\n\n________________________________________________________________\nPage 11                                                Comments\n\x0c                     Although Science indicated that it had implemented a federated\n                     IT model, our review found that each of the federal sites\n                     reviewed utilized different mechanisms for acquiring and\n                     managing IT hardware and support services. In addition, as\n                     demonstrated in our report, the methodology used by Science\n                     Headquarters to calculate its costs was different from DOE-\n                     COE and excluded costs for items such as network\n                     administration and security monitoring software. Issues related\n                     to the inability to track and compare support costs were also\n                     identified at Chicago and Oak Ridge. 
Based on reviews\n                     conducted by both the Office of Inspector General and industry\n                     experts, we noted that significant savings could be realized by\n                     moving towards shared services and a common infrastructure.\n\n\n\n\n________________________________________________________________\nPage 12                                                Comments\n\x0cAppendix 1\n\nOBJECTIVE             To determine whether the Office of Science (Science)\n                      adequately managed its information technology (IT) resources.\n\nSCOPE                 The audit was performed between October 2008 and August\n                      2009 at the Department of Energy (Department) Headquarters\n                      in Washington, DC, and Germantown, Maryland; the Argonne\n                      National Laboratory and the Chicago Office, Argonne, Illinois;\n                      the Fermi National Accelerator Laboratory, Batavia, Illinois;\n                      the Lawrence Berkeley National Laboratory, Berkeley,\n                      California; the SLAC National Accelerator Laboratory, Menlo\n                      Park, California; and the Oak Ridge Office and Oak Ridge\n                      National Laboratory, Oak Ridge, Tennessee.\n\nMETHODOLOGY           To accomplish the audit objective, we:\n\n                         \xe2\x80\xa2   Reviewed applicable laws and regulations, Department\n                             of Energy (Department) directives, and Office of\n                             Management and Budget guidance pertaining to cyber\n                             security practices and acquisition of IT resources;\n\n                         \xe2\x80\xa2   Reviewed prior reports issued by the Office of\n                             Inspector General, the Government Accountability\n                             Office, and the Department\'s Office of Health, Safety\n                             and 
Security;\n\n                         \xe2\x80\xa2   Reviewed numerous documents related to the\n                             Department\'s management of hardware acquisition, as\n                             well as cost and functionality of Science\'s IT support\n                             services solutions;\n\n                         \xe2\x80\xa2   Evaluated security configuration standards\n                             implemented on certain operating systems;\n\n                         \xe2\x80\xa2   Held discussions with program officials and personnel\n                             from Department Headquarters and field sites reviewed;\n                             and,\n\n                         \xe2\x80\xa2   Selected numerous weaknesses identified in various\n                             cyber security assessments to determine whether the\n                             weaknesses were corrected in a timely manner.\n\n                      We conducted this performance audit in accordance with\n                      generally accepted Government auditing standards. Those\n                      standards require that we plan and perform the audit to obtain\n                      sufficient, appropriate evidence to provide a reasonable basis\n                      for our findings and conclusions based on our audit objectives.\n\n________________________________________________________________\nPage 13                            Objective, Scope, and Methodology\n\x0cAppendix 1 (continued)\n\n                      We believe the evidence obtained provides a reasonable basis\n                      for our findings and conclusions based on our audit objectives.\n                      The audit included tests of internal controls and compliance\n                      with laws and regulations to the extent necessary to satisfy the\n                      audit objective. 
Because our review was limited, it would not\n                      necessarily have disclosed all internal control deficiencies that\n                      may have existed at the time of our audit. We also assessed\n                      performance measures in accordance with the Government\n                      Performance and Results Act of 1993 relevant to the\n                      management of Science\'s information technology program.\n                      We did not rely on computer-processed data to satisfy our audit\n                      objective.\n\n                      Management waived an exit conference.\n\n\n\n\n________________________________________________________________\nPage 14                            Objective, Scope, and Methodology\n\x0cAppendix 2\n\n                                     PRIOR REPORTS\n\n\xe2\x80\xa2   Evaluation Report on The Department\'s Unclassified Cyber Security Program - 2008\n    (DOE/IG-0801, September 2008). The Office of Inspector General (OIG) found that\n    while the Department of Energy (Department) made positive accomplishments,\n    additional action is required to further enhance the Department\'s unclassified cyber\n    security program and help reduce risks to its systems and data. For instance, the review\n    identified opportunities for improvements in areas such as certification and accreditation\n    of systems, systems inventory, contingency planning, and segregation of duties. These\n    internal control weaknesses existed, at least in part, because not all Department program\n    organizations had revised and implemented policies incorporating Federal and\n    Departmental cyber security requirements in a timely manner.\n\n\xe2\x80\xa2   Audit Report on Facility Contractor Acquisition and Management of Information\n    Technology Hardware (DOE/IG-0768, June 2007). 
The OIG review established that\n    certain Department facility contractors had not adequately managed the acquisition and\n    control of information technology (IT) hardware. A number of contractors had not\n    consistently taken advantage of opportunities to reduce acquisition and support costs,\n    addressed security concerns related to certain aging systems, or ensured that\n    accountability was maintained over sensitive computers and devices. These problems\n    occurred because the Department had not developed a coordinated approach to IT\n    hardware acquisition, management, and control.\n\n\xe2\x80\xa2   Audit Report on The Department\'s Efforts to Implement Common Information\n    Technology Services at Headquarters (DOE/IG-0763, March 2007). The OIG identified\n    that although the Department had made progress in implementing the Department of\n    Energy\'s Common Operating Environment (DOE-COE) at Headquarters, it had not fully\n    achieved the goals and objectives envisioned by the original initiative. Five major\n    organizations, accounting for 40 percent of the user population, had not migrated to\n    DOE-COE. Officials responsible for implementation did not always follow Department\n    and Federal project management practices, such as developing formal migration plans\n    and conducting requirements analyses.\n\n\xe2\x80\xa2   Audit Report on Information Technology Support Services at the Department of Energy\'s\n    Operating Contractors (DOE/IG-0725, April 2006). The Department continues to face a\n    number of challenges related to contractor procured or furnished IT support services. In\n    particular, contractors failed to take advantage of opportunities to aggregate demand to\n    leverage or reduce IT support service costs. In addition, per user support costs varied\n    substantially between contractor sites. A number of contractors did not actively capture\n    or track functional IT support costs. 
In the absence of a framework, the Department did\n    not require contractors to adopt other available methods for reducing costs such as\n    coordinating with established consortium buying groups to consolidate demand and\n    obtain volume discounts.\n\n\n\n\n________________________________________________________________\nPage 15                                              Prior Reports\n\x0cAppendix 3\n\n\n\n                                         Department of Energy\n                                          Washington. DC 20585\n\n                                             September 29, 2009\n\n\n      MEMORANDUM FOR RICKEY R. J-IASS\n                     DEPUTY INSPECTOR GENERAL FOlUDIT SERVICES\n                     OFFICE OF INSPECTOR GENERtL\n\n      FROM:                    JEFFREY T. SALMON      ~    111\\ S}\n                               DEPUTY DIRECTOR FOR R~URCE MANAGEMENT\n                               OFFICE OF SCIENCE\n\n      SUBJECT:                  Response to Inspector General\'s Draft Report, \'The Office of\n                                Science\'s Management oflnfonllation Technology Resources."\n\n      The Office of Science (SC) appreciates the opportunity to review and comment on the subject\n      audit. The following rel1eets the views of the Office of Science. The Office of the Chief\n      lnfomlation Officer (OClO) did not have comments on the subject audit.\n\n      SC is commiued to implementing cyber security in a risk-based approach at SC Federal sites and\n      at the National Laboratories, while ensuring it does not hinder the innovative research and\n      development mission of the National Laboratories. SC generally concurs with the\n      recommendation to implement the Federal Desktop Core Configuration, "as appropriate".\n\n      SC supports the Report\'s recommendation to lower IT hardware acquisition costs and\n      implementing hardware standards, as appropriate to meet the mission needs. 
However, SC\n      respectfully disagrees with several of the Report\'s conclusions, The Report unfavorably\n      compares the Lawrence Berkley National Laboratory (LBNL) to the Oak Ridge National\n      Laboratory (ORNL) but it docs not provide analysis on the costs/benefits of the approach being\n      used by each respective laboratory. The infonnation, the scientific productivity, the morale of the\n      employees, and the costs to administer the program must be considered alongside the strategic\n      and thoughtful approach bl;:ing used by each Laboratory to build systems and processes designed\n      to support their diverse environment and maximally deliver productive technologies.\n      Standardization at the National Laboratories to achieve potential cost savings should more\n      accurately be compared to Tier 1 research environments, as the National Laboratories arc an\n      environment that generates diverse ideas and computer needs.\n\n      Argonne National Laboratory (ANL) purchases all equipment and supplies in accordance with its\n      fundamental scientific mission. The Report docs not recognize that only 20% of the vendors used\n      by ANL in a particular year receive 90% of ANL\'s dollar volume in computer purchases,\n      Wherever possible, ANL uses its preferred vendors and contracts to supply computer equipment.\n      Periodically, the scientific mission requires ANL to go outside of its prt\':ferred vendors and\n      contracts.\n\n      SC has established and enforces IT hardware standards that meet the local mission needs. 
The\n      Report docs not take into account the one-quarter refresh rate at Oak Ridge Office or the 100%\n\n\n\n\n___________________________________________________________________\nPage 16                                         Management Comments\n\x0cAppendix 3 (continued)\n\n\n                                                                                                        2\n\n\n     refresh at SC 11eadquarters (HQ) that resulted in better pricing compared to the negotiated DOE\n     pricing. Each year thc hardware vendors change hardware models multiple times during the year\n     and modify their pricing. which explains the variation in price for the same item. It is more\n     accurate to anal)\'7.c the three or four year life cycle COSlS to acquire IT hardware, instead of\n     comparing individual years.\n\n     SC has evaluated thc DOE-COE model on numerous occasions and implemented a federated IT\n     model lmd in doing SO has obtained the best costs and service to mect the mission needs of the\n     program. SC disagrees wilh the Report\'s assertion that SC did not provide costs that align with\n     DOE-COE for comparison and Ihe methodology of tracking costs did not adequately support the\n     decision to not migrate to DOE-COE. Oak Ridge provided sufficient detail to the IG that aligned\n     with the DOE-COE categories and Chicago\'s cost aligned with the categories at the time of\n     original submission. The Report compares the " ... $300 charged by the Office of the Chief\n     Information Offieer (OCIO).,.", but does not provide evidence this is the true cost under DOE-\n     COE, nor that the per scat cost for the Department would be decreased by SC joining DOE-COE.\n     The then SC Deputy Director of Resource Management met with the then Deputy Secretary and\n     Chicflnfonnulion Offil:l:r ill fdJlUi1ly 2008 to discuss DOE-COE and the pricing for SC IlQ\n     compared to DOE-COE. 
The result of the meeting was that SC would not be included in DOE-\n     COE because the SC model was more cost effcctive,\n\n     SC disagrees with the Report\'s claims that "significant savings could be realized" by\n     modifying/consolidating IT purchasing and joining DOE-COE. 11le only savings noted is \'\xc2\xb7S3.3\n     million o,\'cr three years" which is 0.021% per year and explained by variations in a produc(s\n     price over the course of a single year from a single vendor and including computer equipment\n     specifically ordered to meet the scientific mission.\n\n     SC continues to c\\\'aluale the IT costs for support and hardware. As part of its mission to deli"er\n     open science and support basic scientific research, SC provides funding for the high-speed\n     Energy Sdcncc Network (ESnet). The ESnet infrastructure is pan of (he overall SC direction to\n     reduce COSIS and SC is evaluating the long-tenn approach to use ESnet to meet its mission needs,\n     as all ofSC currently maintains connections to ESnet. This approach will reduce the\n     infrastructure-related costs to SC and provide for a morc open environment to support the SC\n     mission in support of the Department.\n\n     Attached arc SC\'s responses to the facts presented, proposed recommendations, and estimated\n     potemial monetary impact.\n\n     Attachment\n\n     C,\n     Steve Binklcy/SC-1\n     Patricia DehmerlSC-2\n     George MnloshlSC-J\n     ThomtlS PhanlSC-45\n\n\n\n\n___________________________________________________________________\nPage 17                                         Management Comments\n\x0c                                                             IG Report No. DOE/IG-0831\n\n                       CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of\nits products. 
We wish to make our reports as responsive as possible to our customers\'\nrequirements, and, therefore, ask that you consider sharing your thoughts with us. On the\nback of this form, you may suggest improvements to enhance the effectiveness of future\nreports. Please include answers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding\n   this report?\n\n2. What additional information related to findings and recommendations could have\n   been included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s\n   overall message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the\n   issues discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should\n   we have any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\nWhen you have completed this form, you may telefax it to the Office of Inspector\nGeneral at (202) 586-0948, or you may mail it to:\n                           Office of Inspector General (IG-1)\n                                 Department of Energy\n                                Washington, DC 20585\n\n                              ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Felicia Jones at (202) 253-2162.\n\x0cThis page intentionally left blank.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. 
Therefore, this report will be available electronically through the\n                                Internet at the following address:\n\n              U.S. Department of Energy Office of Inspector General Home Page\n                                  http://www.ig.energy.gov\n\n  Your comments would be appreciated and can be provided on the Customer Response Form.\n\x0c'